Cloudflare Access IdP Setup

One-time steps to configure Cloudflare Zero Trust Identity Providers and extend the API token before running terraform apply for the docs site (docs_site.tf).

Run this runbook once per Cloudflare account. Terraform looks up the IdP UUIDs automatically at plan time via a data source — no manual UUID copying or Doppler secrets needed for IdP IDs.


Prerequisites

  • Cloudflare account admin access (Zero Trust > Settings + API Tokens)
  • Google Workspace admin access (to create the OAuth client in Google Cloud Console)
  • GitHub org admin access (to create the OAuth App under the unipuka org)
  • CLOUDFLARE_API_TOKEN already in Doppler oep.base (will be extended in Step 1)

Step 1: Extend the Cloudflare API token

The existing CLOUDFLARE_API_TOKEN is scoped to DNS editing only. Add Zero Trust permissions.

  1. Log in to dash.cloudflare.com
  2. Go to My Profile → API Tokens
  3. Find the token used by Terraform (name matches what you set; check the value in Doppler oep.base)
  4. Click Edit
  5. Under Permissions, add:
    • Account / Access: Apps and Policies / Edit
    • Account / Access: Identity Providers / Read
    • Account / Cloudflare Pages / Edit (for cloudflare_pages_project + cloudflare_pages_domain)
    • Zone / Zone Settings / Edit (for cloudflare_zone_setting SSL mode)
  6. Click Continue to summary → Update Token

The token value does not change and the token UUID stays the same, so no Doppler update is needed.


Step 2: Record the Cloudflare account ID

The cf_account_id local in tenants.tf needs the real value.

  1. In dash.cloudflare.com, select the unipuka account
  2. Go to any zone or the account home — the Account ID is in the right sidebar under "API"
  3. Copy the 32-char hex value

Edit unipuka-infra-do/oep-infra/tenants.tf:

cf_account_id = "<paste-the-account-id-here>"

Step 3: Create the Google Workspace (G Suite) IdP

  1. In dash.cloudflare.com, navigate to Zero Trust → Integrations → Identity providers
  2. Click Add new → select Google Workspace
  3. Fill in:
    • Name: unipuka Google Workspace
    • App ID and Client secret: create an OAuth 2.0 Client in Google Cloud Console → APIs & Services → Credentials → Create credentials → OAuth client ID → Web application
      • Authorized redirect URIs: the CF form shows the exact callback URL once you open the Google Workspace IdP page — copy it from there. It follows the pattern https://<team-domain>.cloudflareaccess.com/cdn-cgi/access/callback, where <team-domain> is your team name shown in Zero Trust → Settings → Custom Pages → Team domain (e.g. for the team domain unipuka: https://unipuka.cloudflareaccess.com/cdn-cgi/access/callback).
      • Copy the Client ID and Client Secret
    • Account: your Google Workspace account domain (e.g. unipuka.com)
  4. Click Save

Terraform looks up the IdP UUID automatically at plan time via the data.cloudflare_zero_trust_access_identity_providers data source - no need to copy the UUID manually.


Step 4: Create the GitHub IdP

  1. Go to Zero Trust → Integrations → Identity providers
  2. Click Add new → select GitHub
  3. Fill in:
    • Name: unipuka GitHub
    • App ID and Client secret: create a GitHub OAuth App (org-level):
      • Application name: unipuka-cloudflare-access
      • Homepage URL: https://docs.unipuka.app
      • Authorization callback URL: same URL as above — copy from the CF GitHub IdP form, or use https://<team-domain>.cloudflareaccess.com/cdn-cgi/access/callback with your team domain from Zero Trust → Settings → Custom Pages
      • Click Register application → Generate a client secret
    • Paste the Client ID and Client Secret into Cloudflare
  4. Click Save

Same as above - Terraform looks up the UUID automatically. No manual copy needed.
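A pre-flight script for Steps 1, 3 and 4 (an added example, not part of this runbook or the oep-infra repo): before terraform plan is run, it confirms that the extended token is active and that both IdPs exist under the account, which is exactly what the Access: Identity Providers / Read permission from Step 1 and the data-source lookup depend on. It calls two Cloudflare v4 API endpoints, GET /user/tokens/verify and GET /accounts/{account_id}/access/identity_providers. The environment variable name CF_ACCOUNT_ID, the function names, the placeholder ids and the type strings in the sample responses are my assumptions; the sample JSON is constructed so the parsing can be exercised offline, and the live calls run only when the script is invoked with --live.

```shell
#!/bin/sh
# Pre-flight for Steps 1, 3 and 4: added example, not part of the runbook.
# Needs CLOUDFLARE_API_TOKEN (from Doppler oep.base) and CF_ACCOUNT_ID
# (assumed variable name; the 32-char hex value from Step 2) in the environment.
# Live mode only runs with --live; without it, nothing touches the network.

CF_API="https://api.cloudflare.com/client/v4"

# GET a v4 endpoint with the bearer token and print the raw JSON body.
cf_get() {
  curl -sS -H "Authorization: Bearer ${CLOUDFLARE_API_TOKEN}" "${CF_API}$1"
}

# 0 if a /user/tokens/verify response reports status "active", else 1.
token_is_active() {
  printf '%s' "$1" | tr -d '[:space:]' | grep -q '"status":"active"'
}

# Print the "name" of each IdP in an /access/identity_providers response,
# one per line. A coarse grep rather than a JSON parser, so it stays jq-free;
# IdP objects carry id/name/type at the top level, which is all we need.
idp_names() {
  printf '%s' "$1" | tr -d '\n' | grep -o '"name": *"[^"]*"' | sed 's/^"name": *"//; s/"$//'
}

# 0 only if every IdP name given after the JSON argument is present.
idps_present() {
  json="$1"; shift
  names="$(idp_names "$json")"
  for want in "$@"; do
    printf '%s\n' "$names" | grep -qxF -- "$want" || return 1
  done
  return 0
}

# Constructed sample responses (shape follows the v4 API; ids are placeholders,
# type strings for Google Workspace and GitHub are assumed).
SAMPLE_VERIFY='{"result":{"id":"<token-id-placeholder>","status":"active"},"success":true,"errors":[],"messages":[]}'
SAMPLE_IDPS='{"result":[
  {"id":"<uuid-placeholder-1>","name":"unipuka Google Workspace","type":"google-apps"},
  {"id":"<uuid-placeholder-2>","name":"unipuka GitHub","type":"github"}
],"success":true,"errors":[],"messages":[]}'

# Live check against the real account; stops at the first failed gate.
preflight() {
  verify="$(cf_get /user/tokens/verify)"
  token_is_active "$verify" || { echo "FAIL: token not active: $verify" >&2; return 1; }
  idps="$(cf_get "/accounts/${CF_ACCOUNT_ID}/access/identity_providers")"
  idps_present "$idps" "unipuka Google Workspace" "unipuka GitHub" \
    || { echo "FAIL: expected both IdPs, found: $(idp_names "$idps" | tr '\n' ',')" >&2; return 1; }
  echo "OK: token active and both IdPs present; safe to run terraform plan"
}

case "${1:-}" in --live) preflight ;; esac
```

Run it from the repo with the same wrapper as Step 5, e.g. `direnv exec . doppler run --config base -- sh preflight.sh --live` with CF_ACCOUNT_ID exported. If the identity_providers call comes back with an authorization error while the token-verify call succeeds, the token is active but still lacks the Access: Identity Providers / Read permission from Step 1, and terraform plan will fail at the data-source lookup for the same reason.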


Step 5: Run terraform apply

cd unipuka-infra-do/oep-infra

# Plan — Terraform looks up IdP UUIDs automatically via the data source
direnv exec . doppler run --config base -- terraform plan

# Apply
direnv exec . doppler run --config base -- terraform apply

V&V

After terraform apply succeeds:

# CNAME resolves (CF returns CNAME chain when proxied)
dig +short CNAME docs.unipuka.app

# Unauthenticated request gets CF Access redirect (302 to cloudflareaccess.com)
curl -I https://docs.unipuka.app

  1. Open https://docs.unipuka.app in an incognito window — you should see the CF Access login screen showing Google Workspace and GitHub options.
  2. Log in with a @unipuka.com Google account → docs site loads.
  3. Log in with a non-@unipuka.com account + not in unipuka GitHub org → 403 "Access denied" page.
  4. Push a trivial commit to unipuka-infra-ops/master → CF Pages dashboard shows a new deployment within ~2 minutes (dash.cloudflare.com → Pages → unipuka-docs → Deployments).
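A scripted version of the curl check above (an added example, not from the runbook): it parses a `curl -sI` header dump and passes only when the unauthenticated response is a 302 whose Location is on cloudflareaccess.com, which is the signal that the Access application is actually in front of the hostname. A 200 here is the failure mode to catch: the Pages project is reachable but the Access policy is not attached. The sample header dumps are constructed, the login path in them is illustrative, and the function names are my own.

```shell
#!/bin/sh
# Post-apply check for the V&V section: added example, not part of the runbook.
# Parses `curl -sI` output; the live request runs only with --live.

DOCS_URL="https://docs.unipuka.app"

# Status code from the first line of a header dump (e.g. "HTTP/2 302" -> 302).
http_status() {
  printf '%s\n' "$1" | head -n 1 | tr -d '\r' | awk '{print $2}'
}

# Value of the first Location header (any case), CR and header name stripped.
location_header() {
  printf '%s\n' "$1" | tr -d '\r' | grep -i '^location:' | head -n 1 | sed 's/^[^:]*:[[:space:]]*//'
}

# 0 if the dump shows a 302 whose Location is on a cloudflareaccess.com team
# domain (the CF Access login), else 1.
is_access_redirect() {
  status="$(http_status "$1")"
  loc="$(location_header "$1")"
  [ "$status" = "302" ] || return 1
  case "$loc" in
    https://*.cloudflareaccess.com/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample dumps: what a protected and an unprotected host look like.
SAMPLE_REDIRECT='HTTP/2 302
location: https://unipuka.cloudflareaccess.com/cdn-cgi/access/login/docs.unipuka.app?kid=placeholder
server: cloudflare
cf-ray: placeholder'
SAMPLE_OPEN='HTTP/2 200
content-type: text/html; charset=utf-8
server: cloudflare'

# Live check: one unauthenticated HEAD request, no redirect following.
check_live() {
  headers="$(curl -sI "$DOCS_URL")"
  if is_access_redirect "$headers"; then
    echo "OK: $DOCS_URL redirects to $(location_header "$headers")"
  else
    echo "FAIL: expected 302 to cloudflareaccess.com, got status $(http_status "$headers")" >&2
    return 1
  fi
}

case "${1:-}" in --live) check_live ;; esac
```

Run `sh check_access.sh --live` after terraform apply; the dig check above still belongs in front of it, since a CNAME that has not propagated shows up here as a curl error rather than a clear status code.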